How Can Law Firms Strengthen Their Cybersecurity Weak Spots?
More and more law firms in the United States and around the world are being hacked by cybercriminals, who seek to secure sensitive emails, documents and…
August 02, 2017 at 11:24 AM
4 minute read
The original version of this story was published on Law.com
More and more law firms in the United States and around the world are being hacked by cybercriminals, who seek to secure sensitive emails, documents and other legal work.
In many cases, the cybersecurity weak spot for many law firms is not their perimeter security system, but their internal data security and governance systems. Cyber criminals can use phishing or other methods to get through a strong perimeter security defense, and once inside, can access all of a firm's emails and documents.
Without strong document and monitoring systems in place, cyber criminals can continue to access these documents for days, weeks or even months without the law firm realizing. Firms can address these weaknesses by deploying technologies that restrict access to sensitive content to only those employees who need this information. This helps quickly identify potential attacks
Rafiq Mohammadi, Chief Scientist and Co-founder, iManage, recently sat down with Inside Counsel to discuss how stopping attacks is only one part of a strong legal data security strategy.
Today, law firms are trusted advisors and work on the most sensitive corporate transactions—mergers and acquisitions, SEC filings, corporate restructuring, litigation, patent applications and employee contracts.
“It is fair to say that nothing important takes place without the interaction of the corporate general counsel and law firms,” said Mohammadi. “The most sophisticated cyber criminals and state actors are now fully aware that breaching a law firm yields highly sensitive information across multiple businesses.”
Unfortunately, in today's landscape, stopping attacks is only one part of a strong legal data security strategy. Law firms have invested significantly in both perimeter defense and employee training. According to Mohammadi, the critical next steps are:
1) Assume that defenses have been breached and invest in rapid detection of breaches and quick effective action. There are numerous case studies that demonstrate that once breached, the threat stays persistent for months. It is imperative to identify and seal breaches quickly—in the best case scenario, quick elimination translates into effective automated near real-time counter measures.
2) Protect client confidentiality by ensuring that access is on a need-to-know basis rather than broad public rights.
3) Proactive continuous auditing to demonstrate that the implemented defenses are working as planned.
4) Routine employee oriented exercises that test and demonstrate the value of information security hygiene – there are many specialized companies in this area.
5) Insistence on rigorous standards compliance for both on premise and hosted software—vendors must effectively demonstrate how they code, test and deploy software.
6) Expert outside assistance that objectively ranks the effectiveness of security measures.
“In a nutshell, good security is based on layered or in-depth defense. This is a highly-specialized domain and whenever possible law firms should invest in a Chief Security Officer,” said Mohammadi.
So, why is cybersecurity a weak spot for many law firms and their internal data security and governance systems?
“It took a while to understand that the most sophisticated attacks are carried out using automated tools that probe for any weak spot. The industry is in the midst of realizing that severity of threats has increased exponentially over the last five years and consequently the response must be far more sophisticated,” explained Mohammadi. “The biggest single realization has been the inability of perimeter defense to neutralize threats – in other words the industry has had to understand that breaches are a certainty and consequently companies must plan and deal with it.”
Mohammadi advises that law firms address these weaknesses using CERT – a very valuable resource on the nature of phishing and effective counter measures.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllSEC Penalizes Wells Fargo, LPL Financial $900,000 Each for Inaccurate Trading Data
US Reviewer of Foreign Transactions Sees More Political, Policy Influence, Say Observers
Pre-Internet High Court Ruling Hobbling Efforts to Keep Tech Giants from Using Below-Cost Pricing to Bury Rivals
6 minute readPreparing for 2025: Anticipated Policy Changes Affecting U.S. Businesses Under the Trump Administration
Trending Stories
- 1Pa. Hospital Agrees to $16M Settlement Following High Schooler's Improper Discharge
- 2Connecticut Movers: Year-End Promotions, Hires and an Office Opening
- 3Luigi Mangione Defense Attorney Says NYC Mayor’s Comments on Case Raise Fair Trial Concerns
- 4Revisiting the Boundaries Between Proper and Improper Argument: 10 Years Later
- 5Hochul Vetoes 'Grieving Families' Bill, Faulting a Lack of Changes to Suit Her Concerns
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250